Version: 4.4.x.x RR (Android, iOS) / 4.5.x.x RR (Flutter) / 5.x.x.x RR (React Native)

Secure storage

The Secure Storage component ensures that sensitive data is managed securely on the device. The most important data to protect is the private key, which is generated during registration and accessed in subsequent FIDO operations. In this regard, secure storage includes the following:

  • The private key used for FIDO UAF is managed entirely by the hardware-backed Keystore on Android and by the Secure Enclave on iOS. This storage option is only possible if the device is configured to use a lock screen.

  • The key material used for push notification encryption and signing, and any other sensitive data used in the FIDO UAF context, is stored securely in Shared Preferences on Android and in the Keychain on iOS.

  • The hashed application PIN used by the Application PIN Authenticator is also stored securely in Shared Preferences and the Keychain. The same applies to the hashed password used by the password authenticator.

To provide additional protection of the private key, the platform offers the option of binding the key to user authentication. In this configuration, the user must authenticate every time the private key is accessed, by providing one of the system-defined credentials that are available for the device lock screen.

info

The SDK verifies and enforces the presence of secure storage.

  • On iOS, this is enforced by requiring iOS 11, which only runs on iPhones with the Secure Enclave present.
  • On Android, SDK initialization fails at runtime if no secure storage is available.

Some devices lack the required secure storage. For details, see the Device Support section of the Access App documentation.

Android StrongBox

With Android 9 (API level 28) or higher, the SDK first attempts to store the key material in StrongBox, a dedicated hardware security module with its own CPU, secure storage and random number generator, isolated from the application processor. If StrongBox is not available, or key creation in StrongBox fails, the SDK falls back to the TEE (Trusted Execution Environment), a secure isolated environment running on the main SoC. Both options are hardware-backed: in either case the private key is generated inside, and never leaves, the secure hardware.

StrongBox storage of key material cannot be guaranteed because it depends not only on the Android version, but also on:

  • Vendor hardware support for StrongBox.
  • StrongBox support of the key algorithms used by the SDK. StrongBox implementations are only required to support a small set of algorithms (for example EC P-256, RSA-2048, AES-128/256 and HMAC-SHA-256), so a key creation request can be rejected even on a device that has StrongBox.

info

StrongBox explicitly refers to devices such as embedded Secure Elements (eSE) or on-SoC secure processing units (iSE). For a full comparison of StrongBox and TEE, including the security implications of each option and guidance on when to opt out, see StrongBox on Android.

tip

Because the wording around StrongBox is rather ambiguous, we provide a code snippet that lets you check whether the key material is actually stored in StrongBox.
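The following Kotlin snippet is an added example for this page; it is not the SDK's own snippet and not part of the Nevis SDK. It uses only the public Android Keystore APIs to show three things discussed above together: requesting StrongBox with a fallback to the TEE when StrongBox is unavailable or rejects the parameters, binding the key to user authentication as described in the Secure storage section, and reading back from the Keystore where the key actually ended up. The function names, the key alias, and a minSdk of 28 (so that `StrongBoxUnavailableException` and `setIsStrongBoxBacked()` are always present) are assumptions made for the example.

```kotlin
import android.os.Build
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyInfo
import android.security.keystore.KeyProperties
import android.security.keystore.StrongBoxUnavailableException
import java.security.KeyFactory
import java.security.KeyPairGenerator
import java.security.KeyStore
import java.security.PrivateKey
import java.security.spec.ECGenParameterSpec

// Assumptions for this example (not from the SDK): minSdk 28, so the StrongBox
// APIs are always present; function and alias names are illustrative only.
private const val ANDROID_KEYSTORE = "AndroidKeyStore"

/** Where the Android Keystore reports a key as living. */
enum class KeyLocation {
    STRONGBOX,        // dedicated secure element / on-SoC secure processor
    TEE,              // trusted execution environment on the application processor
    SECURE_HARDWARE,  // before API 31: hardware-backed, but the level is not reported
    SOFTWARE,
    UNKNOWN
}

/**
 * Generates an EC P-256 signing key. StrongBox is requested first; if the device
 * has no StrongBox, or StrongBox rejects these parameters, generation is retried
 * in the TEE. With [requireUserAuth] the key is also bound to user authentication,
 * so every use needs a fresh lock-screen credential or biometric prompt.
 */
fun generateHardwareBackedKey(alias: String, requireUserAuth: Boolean): PrivateKey {
    fun spec(strongBox: Boolean): KeyGenParameterSpec {
        val builder = KeyGenParameterSpec.Builder(
            alias, KeyProperties.PURPOSE_SIGN or KeyProperties.PURPOSE_VERIFY
        )
            .setAlgorithmParameterSpec(ECGenParameterSpec("secp256r1"))
            .setDigests(KeyProperties.DIGEST_SHA256)
            .setIsStrongBoxBacked(strongBox)
        if (requireUserAuth) {
            builder.setUserAuthenticationRequired(true)
            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R) {
                // Timeout 0 = authenticate for every operation; accept a strong
                // biometric or the device credential (PIN, pattern, password).
                builder.setUserAuthenticationParameters(
                    0,
                    KeyProperties.AUTH_BIOMETRIC_STRONG or KeyProperties.AUTH_DEVICE_CREDENTIAL
                )
            }
        }
        return builder.build()
    }

    val generator = KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_EC, ANDROID_KEYSTORE)
    return try {
        generator.initialize(spec(strongBox = true))
        generator.generateKeyPair().private
    } catch (e: StrongBoxUnavailableException) {
        // Fallback: still hardware-backed, but in the TEE instead of StrongBox.
        generator.initialize(spec(strongBox = false))
        generator.generateKeyPair().private
    }
}

/**
 * Asks the Keystore where the key stored under [alias] actually lives. Only
 * API 31+ can distinguish StrongBox from the TEE; older releases only report
 * whether the key is inside secure hardware at all.
 */
@Suppress("DEPRECATION")
fun keyLocation(alias: String): KeyLocation {
    val keyStore = KeyStore.getInstance(ANDROID_KEYSTORE).apply { load(null) }
    val key = keyStore.getKey(alias, null) as? PrivateKey ?: return KeyLocation.UNKNOWN
    val info = KeyFactory.getInstance(key.algorithm, ANDROID_KEYSTORE)
        .getKeySpec(key, KeyInfo::class.java)
    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
        return when (info.securityLevel) {
            KeyProperties.SECURITY_LEVEL_STRONGBOX -> KeyLocation.STRONGBOX
            KeyProperties.SECURITY_LEVEL_TRUSTED_ENVIRONMENT -> KeyLocation.TEE
            KeyProperties.SECURITY_LEVEL_SOFTWARE -> KeyLocation.SOFTWARE
            else -> KeyLocation.UNKNOWN
        }
    }
    // isInsideSecureHardware() is deprecated from API 31 but is all older releases offer.
    return if (info.isInsideSecureHardware) KeyLocation.SECURE_HARDWARE else KeyLocation.SOFTWARE
}

// Usage: generate once, then verify where the key ended up before relying on it.
fun provisionSigningKey(alias: String = "example.fido.uaf.key"): KeyLocation {
    generateHardwareBackedKey(alias, requireUserAuth = true)
    return keyLocation(alias)
}
```

On API 28 to 30 the Keystore cannot tell you after the fact whether the StrongBox request succeeded, only that the key is in secure hardware; if you need that distinction on such devices, record which of the two specs succeeded at generation time. Because the fallback is silent, a check like `keyLocation()` is the only way to confirm at runtime that a given device actually keeps the key in StrongBox.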